unable to filter using keyvalue output fields

Follow

Trijimon P R

• October 13, 2022 06:06
• Edited

Hi,

I am trying to parse, extract and filter messages based on certain values in the keyvalue output. However, the query does not return any results.

Sample message - 

?module=10&error=20&build=D774E8156A7D4097835A88220AFD001F&d=0&f=0&g=1439493e-f3c7-11de-9f43-002564d1a106&i=0&k=2&language=09.01&m=5&n=0&o=92&platform=windows&q=21398853&s=0FF06654-3DB4-48EC-B8C9-63EB724BACDC&u=0&v=4.5.6.7&version=1.2.3.4&x=0&z=0

Query:

_sourceCategory=sample_log
| replace(_raw, "?","") as _raw| replace(_raw, "&"," ") as _raw || keyvalue auto | where error="20"

I am able to see the extracted fields in the sidebar when I remove the where clause. Any suggestions on how to get this to work?

Thank you!

0

• Official comment

  

  Jorge Silva

  • October 13, 2022 20:29

  This usually happens when the encoding of the file doesn't match the encoding selected in the source's configuration page. If there is a mismatch, then you need to change the file to match the encoding configure on the source or vice-versa.

  Comment actions Permalink

Please sign in to leave a comment.